Applying PCI DSS lessons to GDPR

By Steve Hancock, 7Safe PCI DSS Specialist / QSA |
15 September 2017

By now, every business should we aware that GDPR is coming and will be in place in May 2018. There are many things businesses must consider: consent, privacy impact assessments, right to be forgotten and so on. But the headline grabber, the thing that puts this way up the corporate agenda is the potential for eye-watering fines and penalties for breaches involving the loss or disclosure of personal data.

In order to prevent such breaches the Regulation requires that data processors implement “appropriate security of the personal data, including … technical or organisational measures (‘integrity and confidentiality’)” (Article 5). This is not new of course, the Data Protection Act already requires: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (Schedule 1).

Can PCI DSS help prepare organisations for GDPR?

So what can we learn from PCI DSS that is relevant to the need to protect personal data? Firstly, we recognise that the credit card data protected by PCI DSS is also personal data. In the case of a data breach at cosmetics and toiletries retailer, Lush, and insurance company, StaySure, the Information Commissioner noted the breach of PCI DSS and implied that compliance with PCI DSS would constitute evidence of having the appropriate technical and organisational measures. If the requirements of PCI are a good benchmark for securing credit card data, why not for other personal data?

Every PCI DSS assessor is well aware that when organisations start to seek PCI DSS compliance they typically fall short in many areas and often have to go through lengthy remediation programmes. Further, one of the first steps taken is usually to reduce the scope of the cardholder data environment. It is clear that one reason for this is to limit the scope of the infrastructure to which PCI DSS applies and thereby limit the ‘burden’ of meeting the requirements. Whilst segmenting the network to confine credit card data in this way is not a requirement of PCI DSS, it is standard practice and is encouraged. In effect though, businesses following this approach are really saying, “credit card data we care about – all the other personal data we hold, not so much”.

So the first two lessons for GDPR from PCI DSS are:

PCI DSS is a good benchmark for what regulators mean by appropriate security measures; and

Many organisations do not meet that standard for protecting personal data.

However, there is a more positive side to de-scoping for PCI DSS. One of the most effective responses is to apply risk avoidance or risk transference, in other words, avoid the risk of disclosing credit card data by ceasing to hold or process it. There are a number of ways to achieve this:

Ceasing the activity. With respect to personal data, businesses should ask themselves “do we really need to hold this data?”

Modifying the process as when, for example, a merchant’s web page redirects to a payment processor’s page before any card data is collected. Or removing telephone data from scope by processing card data as DTMF tones handled by a specialist external telecoms company. - Could similar approaches work for other personal data?

Replacing card data with tokenised values so that if disclosed it is meaningless. There may be opportunities for tokenising, anonymising or pseudonymising other personal data.

# # #

PCI DSS Services

Looking for PCI QSA services or expert advice about how to implement the standard?

7Safe's established Scope-Gap-Audit model will help you to ensure that the PCI DSS requirements only impact those systems, employees and 3rd parties that need to be involved in handling card data and for you to understand exactly what you need to do in order to achieve compliance.

Our approach will also help you to adopt those requirements into your regular BAU activities in order to ensure that you retain your compliance with minimal cost and upheaval through future years.

Click through to 7Safe’s Risk and Compliance pages or speak to one of our trained advisers in complete confidence on +44 (0)1763 285 510.